I am relatively new to Windows Server and would like someone to confirm if my understanding of the permissions required for users to log on to a Windows 2008 R2 server on a Windows domain is correct:
- Anyone in the Administrators group can log into the server physically at the server or through a remote mstsc window by specifying their username in the Logon window.
- The Administrators group can do everything the other groups can.
- Anyone in the Remote Desktop Users group can run mstsc from a client computer and see the server's logon screen.
- Anyone in the Users group can log onto the server at its login screen.
So therefore the following scenarios are true:
- User DOMAIN\JOHN is in the Remote Desktop Users group on DOMAIN\SERVER1 but not the Users group on that server. User DOMAIN\JANE is in the Users group but not the Remote Desktop Users group.
  - John can start an mstsc from DOMAIN\PC1 as DOMAIN\JOHN and he will see the login screen but will not be able to sign in as DOMAIN\JOHN; however, he could sign in as DOMAIN\JANE.
- User DOMAIN\JAMES is in the Administrators group on DOMAIN\SERVER1 but not in the Users or Remote Desktop Users group. He will be able to start an mstsc session on DOMAIN\SERVER1 from DOMAIN\PC2 as DOMAIN\JAMES, see the login screen and log in as DOMAIN\JAMES.
- User DOMAIN\JACK is in the Users group on DOMAIN\SERVER1 but not in the Remote Desktop Users group. Jack can gain access to the server, but only through physical access to the server itself (because he cannot get to the server via RDP).
- User DOMAIN\JILL is logged into DOMAIN\PC1, runs mstsc, enters the username DOMAIN\JOHN in the Logon settings of mstsc, sees the server login screen, enters DOMAIN\JANE and the server desktop appears.
Sorry if this seems fairly trivial but it is my understanding from a bit of reading and it would be great if someone could confirm if I am correct.
Best Answer
It depends.
The answer to your questions depends on whether the users and groups you are considering have the necessary User Rights to log on to the computer.
Permission to log on a Windows Server is controlled via two Group Policy settings. They're both located at:
Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment
If you're instead editing Local Group Policy (vs. Domain GP), the settings are found at:
Local Policies/User Rights Assignment
The two settings and their function are as follows:
1. "Allow log on locally"
According to TechNet:
In other words, this controls who can logon via the computer's "physical" console. In the case of a virtual machine this would be a logon through the virtual machine management interface.
The above article confirms this right is not needed to establish a Remote Desktop session:
Unless the computer is a domain-member or Domain Controller computer:
2. "Allow log on through Remote Desktop Services"
According to TechNet:
The reason a user might be able to establish a Remote Desktop session but not be able to log on to the console is because the latter requires the "Allow log on locally" right, which, as mentioned above, isn't required in all cases to log on remotely.
The TechNet articles linked above explain what users and groups are assigned these logon rights by default. However, by editing these two settings that can be changed. It is for that reason that the answer to your questions depends on how your server (and the domain it's in) is configured.
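Since the answer says the outcome depends on how the two User Rights Assignment settings are configured on the server, here is a way to read the effective assignment from the machine itself. This is an added example, not code from the answer or from Microsoft; it assumes an elevated PowerShell session on the server being checked and uses `secedit.exe`, which ships with Windows Server 2008 R2 and later. The privilege names (`SeInteractiveLogonRight` and `SeRemoteInteractiveLogonRight`) are the fixed internal names of the two settings the answer describes; the function also lists their "Deny" counterparts, which are not mentioned in the answer but take precedence over an "Allow" when an account matches both.

```powershell
# Added example: list who holds the local and Remote Desktop logon rights on this server.
# Assumes an elevated session (secedit needs it) and that secedit.exe is on the PATH.

function Get-LogonRightAssignments {
    [CmdletBinding()]
    param()

    # secedit exports the policy as applied on this machine (local policy plus any
    # domain GPO settings that have been applied) to an INF file; we only need the
    # USER_RIGHTS area.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $lines = Get-Content -Path $inf
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }

    # Internal privilege names from the [Privilege Rights] section of the INF,
    # mapped to the display names used in the Group Policy editor.
    $rights = @{
        'SeInteractiveLogonRight'           = 'Allow log on locally'
        'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
        'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
        'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    }

    foreach ($line in $lines) {
        # Example of an exported line (constructed):
        #   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
            $name = $Matches[1]
            $holders = @($Matches[2] -split ',' | Where-Object { $_ } | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) {
                    # A leading '*' marks a SID; translate it to DOMAIN\Name when possible,
                    # otherwise keep the raw SID (e.g. an orphaned account).
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    }
                    catch { $entry.Substring(1) }
                }
                else { $entry }   # already an account name
            })
            [pscustomobject]@{
                Right      = $name
                Setting    = $rights[$name]
                AssignedTo = $holders
            }
        }
    }
}

# Usage: show the four settings and the accounts/groups assigned to each.
Get-LogonRightAssignments | Format-List
```

A right that is assigned to nobody simply does not appear in the export, so a missing "Allow log on through Remote Desktop Services" entry means no one can connect over RDP. The output names groups (for example `BUILTIN\Remote Desktop Users`), so to decide whether a particular domain user such as DOMAIN\JOHN can log on you still have to check that user's group membership on the server against the groups listed.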